To establish duties for online service providers with respect to end user
data that such providers collect and use. 


IN THE SENATE OF THE UNITED STATES 


Mr. Schatz (for himself, Ms. Hassan, Mr. Bennet, Ms. Duckworth, Ms.
Klobuchar, Mrs. Murray, Mr. Booker, Ms. Cortez Masto, Mr.
Heinrich, Mr. Markey, Mr. Brown, Ms. Baldwin, Mr. Jones, Mr.
Manchin, and Mr. Durbin) introduced the following bill; which was read 
twice and referred to the Committee on 


A BILL 

To establish duties for online service providers with respect 
to end user data that such providers collect and use. 

Be it enacted by the Senate and House of Representatives
of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Data Care Act of 2018”.

SEC. 2. DEFINITIONS.

In this Act—

(1) the term “Commission” means the Federal
Trade Commission;

(2) the term “end user” means an individual
who engages with an online service provider or logs
into or uses services provided by the online service
provider over the internet or any other digital network;

(3) the term “individual identifying data” 
means any data that is— 

(A) collected over the internet or any other 
digital network; and 

(B) linked, or reasonably linkable, to— 

(i) a specific end user; or 

(ii) a computing device that is associated
with or routinely used by an end user;

(4) the term “online service provider” means an 
entity that— 

(A) is engaged in interstate commerce over 
the internet or any other digital network; and 

(B) in the course of business, collects individual
identifying data about end users, including
in a manner that is incidental to the business
conducted; and

(5) the term “sensitive data” means any data 
that includes— 

(A) a social security number;

(B) personal information (as defined in
section 1302 of the Children’s Online Privacy
Protection Act of 1998 (15 U.S.C. 6501)) collected
from a child (as defined in such section
1302);

(C) a driver’s license number, passport 
number, military identification number, or any 
other similar number issued on a government 
document used to verify identity; 

(D) a financial account number, credit or
debit card number, or any required security
code, access code, or password that is necessary
to permit access to a financial account of an
individual;

(E) unique biometric data such as a finger 
print, voice print, a retina or iris image, or any 
other unique physical representation; 

(F) information sufficient to access an account
of an individual, such as user name and
password or email address and password;

(G) the first and last name of an individual,
or first initial and last name, or other
unique identifier in combination with—

(i) the month, day, and year of birth
of the individual;



OLL18800 


S.L.C. 


(ii) the maiden name of the mother of
the individual; or

(iii) the past or present precise
geolocation of the individual;

(H) information that relates to—

(i) the past, present, or future physical
or mental health or condition of an
individual; or

(ii) the provision of health care to an
individual; and

(I) the nonpublic communications or other
nonpublic user-created content of an individual.

SEC. 3. PROVIDER DUTIES.

(a) In General.—An online service provider shall
fulfill the duties of care, loyalty, and confidentiality under
paragraphs (1), (2), and (3), respectively, of subsection
(b).

(b) Duties.—

(1) Duty of care.—An online service provider
shall—

(A) reasonably secure individual identifying
data from unauthorized access; and

(B) subject to subsection (c), promptly inform
an end user of any breach of the duty described
in subparagraph (A) of this paragraph
with respect to sensitive data of that end user.

(2) Duty of loyalty.—An online service provider
may not use individual identifying data, or
data derived from individual identifying data, in any 
way that— 

(A) will benefit the online service provider 
to the detriment of an end user; and 

(B) (i) will result in reasonably foreseeable 
and material physical or financial harm to an 
end user; or 

(ii) would be unexpected and highly offensive
to a reasonable end user.

(3) Duty of confidentiality.—An online
service provider—

(A) may not disclose or sell individual
identifying data to, or share individual identifying
data with, any other person except as consistent
with the duties of care and loyalty under
paragraphs (1) and (2), respectively;

(B) may not disclose or sell individual
identifying data to, or share individual identifying
data with, any other person unless that
person enters into a contract with the online
service provider that imposes on the person the
same duties of care, loyalty, and confidentiality
toward the applicable end user as are imposed
on the online service provider under this
subsection; and

(C) shall take reasonable steps to ensure
that the practices of any person to whom the
online service provider discloses or sells, or with
whom the online service provider shares, individual
identifying data fulfill the duties of care,
loyalty, and confidentiality assumed by the person
under the contract described in subparagraph
(B), including by auditing, on a regular
basis, the data security and data information
practices of any such person.

(c) Expansion of Duty to Inform Regarding
Breaches.—The Commission may promulgate regulations
under section 553 of title 5, United States Code,
to apply the breach notification requirement under
subsection (b)(1)(B) with respect to specific categories of
individual identifying data other than sensitive data, as the
Commission determines necessary.

(d) Exceptions.—

(1) Regulations.—The Commission may promulgate
regulations under section 553 of title 5,
United States Code, to exempt categories of online
service providers from the requirement under
subsection (a).

(2) Considerations.—In promulgating regulations
under paragraph (1), the Commission shall
consider, among other factors—

(A) the privacy risks posed by the use of 
individual identifying data by an online service 
provider based on— 

(i) the size of the provider; 

(ii) the complexity of the offerings of 
the provider; 

(iii) the nature and scope of the activities
of the provider; and

(iv) the sensitivity of the consumer information
handled by the provider; and

(B) the costs and benefits of applying the
requirement under subsection (a) to online service
providers with particular combinations of
characteristics considered under subparagraph
(A) of this paragraph.

SEC. 4. ENFORCEMENT. 

(a) Enforcement by Commission.— 

(1) Unfair or deceptive acts or practices.—A
violation of section 3 by an online service
provider shall be treated as a violation of a rule
defining an unfair or deceptive act or practice
prescribed under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(2) Powers of commission.—

(A) In general.—Except as provided in
subparagraph (C), the Commission shall enforce
this Act in the same manner, by the same
means, and with the same jurisdiction, powers,
and duties as though all applicable terms and
provisions of the Federal Trade Commission
Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.

(B) Privileges and immunities.—Except
as provided in subparagraph (C), any person
who violates section 3 shall be subject to
the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission
Act (15 U.S.C. 41 et seq.).

(C) Nonprofit organizations and common
carriers.—Notwithstanding section 4 or
5(a)(2) of the Federal Trade Commission Act
(15 U.S.C. 44, 45(a)(2)) or any jurisdictional
limitation of the Commission, the Commission
shall also enforce this Act, in the same manner
provided in subparagraphs (A) and (B) of this
paragraph, with respect to—

(i) organizations not organized to 
carry on business for their own profit or 
that of their members; and 

(ii) common carriers subject to the 
Communications Act of 1934 (47 U.S.C. 
151 et seq.). 

(3) Rulemaking authority.—The Commission
shall promulgate regulations under this Act in
accordance with section 553 of title 5, United States
Code.

(b) Enforcement by States.— 

(1) Authorization.—Subject to paragraph
(3), in any case in which the attorney general of a
State has reason to believe that an interest of the
residents of the State has been or is threatened or
adversely affected by the engagement of an online
service provider in a practice that violates section 3,
the attorney general of the State may, as parens
patriae, bring a civil action against the online service
provider on behalf of the residents of the State in
an appropriate district court of the United States to
obtain appropriate relief, including civil penalties in
the amount determined under paragraph (2).

(2) Civil penalties.—An online service provider
that is found, in an action brought under
paragraph (1), to have knowingly or repeatedly violated
section 3 shall, in addition to any other penalty
otherwise applicable to a violation of section 3, be liable
for a civil penalty equal to the amount calculated by
multiplying—

(A) the greater of— 

(i) the number of days during which
the online service provider was not in
compliance with that section; or

(ii) the number of end users who were
harmed as a result of the violation, by

(B) an amount not to exceed the maximum
civil penalty for which a person, partnership, or
corporation may be liable under section
5(m)(1)(A) of the Federal Trade Commission
Act (15 U.S.C. 45(m)(1)(A)) (including any
adjustments for inflation).

(3) Rights of federal trade commission.—

(A) Notice to federal trade commission.—

(i) In general.—Except as provided
in clause (iii), the attorney general of a
State shall notify the Commission in writing
that the attorney general intends to
bring a civil action under paragraph (1)
before initiating the civil action.

(ii) Contents.—The notification required
under clause (i) with respect to a
civil action shall include a copy of the complaint
to be filed to initiate the civil action.

(iii) Exception.—If it is not feasible
for the attorney general of a State to provide
the notification required under clause
(i) before initiating a civil action under
paragraph (1), the attorney general shall
notify the Commission immediately upon
instituting the civil action.

(B) Intervention by federal trade
commission.—The Commission may—

(i) intervene in any civil action 
brought by the attorney general of a State 
under paragraph (1); and 

(ii) upon intervening— 

(I) be heard on all matters arising
in the civil action; and

(II) file petitions for appeal of a
decision in the civil action.

(4) Investigatory powers.—Nothing in this
subsection may be construed to prevent the attorney
general of a State from exercising the powers conferred
on the attorney general by the laws of the
State to—

(A) conduct investigations;

(B) administer oaths or affirmations; or

(C) compel the attendance of witnesses or
the production of documentary or other evidence.

(5) Preemptive action by federal trade
commission.—If the Commission institutes a civil
action or an administrative action with respect to a
violation of section 3, the attorney general of a State
may not, during the pendency of the action, bring a
civil action under paragraph (1) against any defendant
named in the complaint of the Commission
based on the same set of facts giving rise to the alleged
violation with respect to which the Commission
instituted the action.

(6) Venue; service of process.—

(A) Venue.—Any action brought under
paragraph (1) may be brought in—

(i) the district court of the United
States that meets applicable requirements
relating to venue under section 1391 of
title 28, United States Code; or

(ii) another court of competent jurisdiction.

(B) Service of process.—In an action
brought under paragraph (1), process may be
served in any district in which the defendant—

(i) is an inhabitant; or 

(ii) may be found. 

(7) Actions by other state officials.—

(A) In general.—In addition to civil actions
brought by attorneys general under paragraph
(1), any other consumer protection officer
of a State who is authorized by the State
to do so may bring a civil action under paragraph
(1), subject to the same requirements
and limitations that apply under this subsection
to civil actions brought by attorneys general.

(B) Savings provision.—Nothing in this
subsection may be construed to prohibit an authorized
official of a State from initiating or
continuing any proceeding in a court of the
State for a violation of any civil or criminal law
of the State.




SEC. 5. NONENFORCEABILITY OF CERTAIN PROVISIONS
WAIVING RIGHTS AND REMEDIES.

The rights and remedies provided under this Act may
not be waived or limited by contract or otherwise.

SEC. 6. RELATION TO OTHER PRIVACY AND SECURITY
LAWS.

Nothing in this Act may be construed to—

(1) modify, limit, or supersede the operation of
any privacy or security provision in any other Federal
or State statute or regulation; or

(2) limit the authority of the Commission under
any other provision of law.

SEC. 7. EFFECTIVE DATE.

(a) In General.—This Act shall take effect on the
date of enactment of this Act.

(b) Applicability.—Section 3 shall apply with respect
to an online service provider on and after the date
that is 180 days after the date of enactment of this Act.



